Linked by Thom Holwerda on Thu 5th Jan 2006 21:24 UTC
Microsoft has officially released the patch that fixes the WMF flaw. The patch can be downloaded individually here, but it is advised to simply use Windows Update. Yesterday, Microsoft said it would not release it until next Tuesday, but two (1 | 2) third party fixes were already available. And to make matters worse, Microsoft accidentally leaked their own patch to the Net yesterday.
Better late than never
by SEJeff on Thu 5th Jan 2006 21:41 UTC
SEJeff
Member since:
2005-11-05

Only what, a week after exploit code was released?

long live http://www.packetstormsecurity.org

Reply Score: 1

swell
by Resolution on Thu 5th Jan 2006 21:49 UTC
Resolution
Member since:
2005-11-14

So does this mean that any non-official fixes need to be removed or re-registered?

Reply Score: 1

RE: swell
by cfrankb on Thu 5th Jan 2006 22:13 UTC in reply to "swell"
cfrankb Member since:
2006-01-03

SANS ISC recommends removing Ilfak Guilfanov's patch (hexblog.com) and/or re-registering the shimgvw.dll *after* rebooting, installing Microsoft's patch, and rebooting again...

http://isc.sans.org/diary.php?storyid=1019

BTW, the link "1" in the parent post is malformed.

Reply Score: 1

WOW !
by raver31 on Thu 5th Jan 2006 21:54 UTC
raver31
Member since:
2005-07-06

from the FAQ....

"How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
For these versions of Windows, Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site"

ALSO...

"Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions."

yeah right, it affects ALL versions of Windows.

But, the icing on the cake is this one.....

"Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I'm still using one of these operating systems, what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities."


In layman's terms... You guys are screwed unless you update.

Edited 2006-01-05 21:58

Reply Score: 5

RE: WOW !
by MonsieurEvil on Fri 6th Jan 2006 01:10 UTC in reply to "WOW !"
MonsieurEvil Member since:
2005-12-15

But, the icing on the cake is this one.....

"Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I'm still using one of these operating systems, what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities."

In layman's terms... You guys are screwed unless you update.


Well, yeah. Is it practical and reasonable to support an OS for more than 10 years? Not really.

For comparison purposes:

Redhat - 7 years - http://www.redhat.com/en_us/USA/rhel/

Novell - 5 years (+2 extended if you pay) - http://support.novell.com/lifecycle/index.jsp

Sun - 7-8 years (hard to tell) - http://www.sun.com/software/solaris/releases.xml

NT 4.0 has had a good run, time to move on. Not running SP4 on 2000? Update, it's free. Using Win98? Patching is pointless, it's not a secure OS anyways, move on for your own good.

Reply Score: 2

RE[2]: WOW !
by Varg Vikernes on Fri 6th Jan 2006 05:08 UTC in reply to "RE: WOW !"
Varg Vikernes Member since:
2005-07-06

Apple - 1 year (or until 10.n+1 comes out)?

Reply Score: 1

RE[2]: WOW !
by raver31 on Fri 6th Jan 2006 19:41 UTC in reply to "RE: WOW !"
raver31 Member since:
2005-07-06

Windows 2000 is 10 years old ?

how many businesses have you worked in ? The majority of the ones I've seen have data centres running Windows 2000 SP2 or SP3. The logistics of upgrading 4000 computers at once is a nightmare.

However, that was not the point I was making.

The point was this...

Microsoft should fix exploits in ALL versions of software it produces. Not just ones it wants you to use.

Reply Score: 2

RE[3]: WOW !
by MonsieurEvil on Fri 6th Jan 2006 22:06 UTC in reply to "RE[2]: WOW !"
MonsieurEvil Member since:
2005-12-15

Windows 2000 is 10 years old ?

No, NT 4.0 is. Like I said previously.

how many businesses have you worked in ?

Many, as I've mostly consulted for Fortune 100 and 500 companies over the past 10 years. I currently work for MS PSS.

The majority of the ones I've seen have data centres running Windows 2000 SP2 or SP3. The logistics of upgrading 4000 computers at once is a nightmare.

Then they have lazy and inexperienced admins. Patch management of service packs is a fact of life. You can do it for free with WSUS, or pay out the pooper for larger scaled apps like SMS, Tivoli, Altiris, etc. The hard part is testing, but again, a fact of life. Deployment is trivial compared to the testing, but usually companies don't have 4000 different kinds of images to worry about testing on.

Microsoft should fix exploits in ALL versions of software it produces. Not just ones it wants you to use.

You want patches for everything, but you want them yesterday. With this theory, you just increased testing for 2000 alone by 6 times. It's simply not feasible. MS always supports N-1 for SP's on an OS. In the case of 2000, it's N-1 from the post SP4 rollup to SP4. Service Pack 4 has been out for 3 years - if you aren't running it, you are not doing your job.

Reply Score: 0

RE[4]: WOW !
by MonsieurEvil on Fri 6th Jan 2006 22:55 UTC in reply to "RE[3]: WOW !"
MonsieurEvil Member since:
2005-12-15

(Forgot to mention):

And I'd not be able to name any OS that creates updates for every possible permutation of patch level. There's always a current baseline, with limited backporting.

To use the car analogy, if you are still driving a Model T in 2006, Ford is not going to give you a free replacement carburetor when yours finally breaks...

Reply Score: 0

RE[5]: WOW !
by raver31 on Fri 6th Jan 2006 23:38 UTC in reply to "RE[4]: WOW !"
raver31 Member since:
2005-07-06

You really do not get it do you ?

Microsoft has a duty to provide support for its customers. These people bought Microsoft products and use Microsoft products. If they want to upgrade, it is up to the customers to do that.

If you want to talk analogies, think of this one...

You have a Ford Cortina Mk1, and you have a mechanic who only works with Cortinas. The car has been running sweet for 30 years, but suddenly, fuel will not pump. You contact Ford and they say "Piss off, buy a Galaxy, we only support cars that are under 3 years"
I think you would all get competitors cars after that.


BTW, don't even bother trying to reply. I looked at your profile and you have had more posts taken down than put up, the mark of a troll and all your posts sound like those of a shill.

Reply Score: 1

RE[6]: WOW !
by n4cer on Sat 7th Jan 2006 02:08 UTC in reply to "RE[5]: WOW !"
n4cer Member since:
2005-07-06

Microsoft has a duty to provide support for its customers. These people bought Microsoft products and use Microsoft products. If they want to upgrade, it is up to the customers to do that.

It's also up to the customers to realise that at a certain point, their configurations are no longer supported. The support schedule is well known and published, and MS' cycle is one of the longest in the industry. There are plenty other companies where you'd be lucky to get free support beyond 1 year. At some point, you're going to have to pay if you want continued support. This isn't anything new or unusual.

Reply Score: 1

RE[6]: WOW !
by MonsieurEvil on Sat 7th Jan 2006 16:23 UTC in reply to "RE[5]: WOW !"
MonsieurEvil Member since:
2005-12-15

Microsoft has a duty to provide support for its customers. These people bought Microsoft products and use Microsoft products. If they want to upgrade, it is up to the customers to do that.

Just Microsoft? As I've been consistent in pointing out in this thread, this sort of behavior is normal in all OS companies, and in fact MS is far more liberal than most. You just dislike MS, so that colors your replies. You had no comment on Redhat, Novell, or Sun supporting for only 5-7 years, nor that they also require baseline patching.

You have a Ford Cortina Mk1, and you have a mechanic who only works with Cortinas. The car has been running sweet for 30 years, but suddenly, fuel will not pump. You contact Ford and they say "Piss off, buy a Galaxy, we only support cars that are under 3 years"
I think you would all get competitors cars after that.


I don't understand the analogy. Ford would say that, and they'd be right. Although most car makers continue to stock parts for 5 years or so.

BTW, don't even bother trying to reply. I looked at your profile and you have had more posts taken down than put up, the mark of a troll and all your posts sound like those of a shill.

From my profile:

Number of Comments: 20 (9 voted up, 3 voted down)

As a side note, I like how the rest of my previous statements I made in reply to you were ignored. ;-) If contradicting people in this discussion forum makes me a shill, guilty as charged. It would be pretty boring if we all agreed though... you know, like Slashbot...

Reply Score: 1

How am I not surprised?
by ZaNkY on Thu 5th Jan 2006 22:08 UTC
ZaNkY
Member since:
2005-10-18

How am I not surprised?

I'm GLAD that MS released the patch, a little late, but at least they are PARTIALLY ATTEMPTING to dig themselves out of the hole they are in. That's assuming they care, which they SHOULD........



I feel sad for all those people that can't get patches lol

Raver31, I would vote your comment up, but I have no votes left ;)

Thanks for the good information, I have yet to read any of the links due to time constraints ATM for me.

--ZaNkY

Reply Score: 1

how?
by Thom_Holwerda on Thu 5th Jan 2006 22:15 UTC
Thom_Holwerda
Member since:
2005-06-29

I don't see how releasing a patch that affects 95% of the computing world, spread over different versions, a week after the vuln. is discovered, can be considered late.

Someone, please enlighten me.

Reply Score: 5

RE: how?
by Resolution on Thu 5th Jan 2006 22:26 UTC in reply to "how?"
Resolution Member since:
2005-11-14

Because response time should be measured in hours, not weeks. When over 100 variants of an unpatched exploit are out in the wild, and you still haven't released a patch, then yeah, you are late.

Reply Score: 5

RE[2]: how?
by nemith on Thu 5th Jan 2006 23:20 UTC in reply to "RE: how?"
nemith Member since:
2005-07-28

I would love to see a Dev, QA, and release team release a patch to an operating system in a couple of hours.

I am sorry, this isn't linux where you are QA and release team.

Reply Score: 3

RE[3]: how?
by dylansmrjones on Fri 6th Jan 2006 14:36 UTC in reply to "RE[2]: how?"
dylansmrjones Member since:
2005-10-02

Correct. And that's the problem apparently ;)

A week is a week too late for anything this serious.

Reply Score: 1

RE[2]: how?
by ivans on Fri 6th Jan 2006 11:47 UTC in reply to "RE: how?"
ivans Member since:
2005-12-03

You had 2 different unofficial patches, from Ilfak and ESET that work flawlessly, the first one being released in a couple of hours, packed inside MSI so that it could easily be distributed via group policy.

You had at least one workaround (unregistering shimgvw.dll) that COMPLETELY mitigates this vulnerability.

You have several AntiViruses reportedly (http://www.av-test.org) blocking EVERY exploit variant (206 known exploits were tested), and some of them are even FREE for home use (ClamAV even for corporate).

You have snort signatures (http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENT...), and a known list of web sites distributing the exploits that every capable admin blocked access to.

Most e-mail clients (I use gmail) won't even show images from unknown sources, and the only way to get infected is _manually_ visiting malicious XXX/warez site with exploit.

So tell me how is this "late", when the bug isn't even remotely exploitable without manual interaction. I just installed MS hotfix and gdi32.dll has a timestamp on December 28th, which means that MS fixed this bug almost IMMEDIATELY, and the only thing that got it delayed was the thorough testing it required in the lab.

Windows core components are not Firefox 1.0.x, when new versions were built just to get around broken extensions. What would you tell your customers if Mozilla broke some APIs your mission-critical application required?

Microsoft has the right balance between security and reliability it guarantees to its customers. This WMF flaw is nothing serious, just a media-overhyped minor bug that came in an unfortunate time of holidays when IT news are generally lacking. You see no high-profile worm propagating with this bug, because it is nothing serious.

Reply Score: 3

RE[3]: how?
by Anonymous. on Fri 6th Jan 2006 16:43 UTC in reply to "RE[2]: how?"
Anonymous. Member since:
2005-12-04

This WMF flaw is nothing serious, just a media-overhyped minor bug that came in an unfortunate time of holidays when IT news are generally lacking.

hmm...
* the flaw allows remote execution of code
* windows has several known unfixed privilege escalation vulnerabilities ( http://secunia.com/advisories/11633/ for example)

how can this be "overhyped"? even most "careful" users can have their system completely compromised by this bug...

Reply Score: 1

RE[2]: how?
by cfrankb on Thu 5th Jan 2006 23:32 UTC in reply to "how?"
cfrankb Member since:
2006-01-03

It's interesting to note that PivX, the security company with Thor Larholm that became infamous for their huge 'Still unpatched IE vulnerabilities' page a few years ago, created preEmpt (formerly called Qwik-fix) which blocked all vectors of the WMF vulnerabilities with their auto-update to preEmpt clients on December 7th. I haven't heard/read about the update breaking any WMF related functionality.

Reply Score: 1

RE[3]: how?
by Nalle on Fri 6th Jan 2006 06:48 UTC in reply to "how?"
Nalle Member since:
2005-07-06

To me at least, it's a point in itself that there exist 3rd party patches before Microsoft themselves are able to make one. Then they're late.

./nalle.

Reply Score: 1

RE[4]: how?
by CrazyDude0 on Fri 6th Jan 2006 08:01 UTC in reply to "RE[3]: how?"
CrazyDude0 Member since:
2005-07-10

Ok then please do us a favor and don't use windows. Thanks now and pretty please piss off ;)

BTW 3rd party patch developer himself said, his patch is a work around. He was just patching the API instead of proper solution.

Reply Score: 2

RE[5]: how?
by dylansmrjones on Fri 6th Jan 2006 14:38 UTC in reply to "RE[4]: how?"
dylansmrjones Member since:
2005-10-02

Ok then please do us a favor and don't use windows. Thanks now and pretty please piss off ;)

And you, young man, ought to learn how to reply in decent manner ;)

I consider the whole charade extremely hilarious. Microsoft this, Microsoft that, please don't use 3rd party fix, we won't release before a couple of weeks, ooh geez we leaked our fix, hey dudes we released our fix...

Duuuh... PR amateurs ;)

Reply Score: 1

By the way...
by Buck on Thu 5th Jan 2006 22:34 UTC
Buck
Member since:
2005-06-29

Think of all the poor souls who "see no patch", much like it was with Sasser et al. Many people may be unaware of the threat.

Reply Score: 1

1 week??
by ZaNkY on Thu 5th Jan 2006 23:04 UTC
ZaNkY
Member since:
2005-10-18

That is so true, I plan on going around tomorrow to various people I meet during the course of my day and ask them: So what do you think about WMF?

See how many people will have a clue.....lol

and Thom:

I don't know exactly how long the vuln has been "known", but let's say one week.

7 * 24 = 168 hours

It takes probably an hour to write up a patch for this vuln. Please don't flame me for saying ONE hour. I'm sure it could be done in that time considering all the "unofficial" patches that have popped up and all those instructions to unregister a dll and stuff like that....doesn't seem hard to me…. But let's give MS the benefit of the doubt and say it takes longer.

bottom line is that the patch can be written in a day. Especially considering how critical it is and the "potential" for damage. next? TeStInG. How long can that possibly take? I would go as bold to say again a couple hours, possibly a whole day.

So we're looking at 2 days to write a patch, test it, and then distribute it. And do so on the first available moment (not next Tuesday! ;) ). 2 days = 48 hours. There's 120 hours left there….

This is all considering that A multi-billion (perhaps trillion) dollar company, with near endless resources and motivation, who LOVES their customers and wants only to do good is involved.

If you notice, the first ones above apply to MS, but they get bleaker and bleaker ;)



To sum up, Thom: 1 week to write a patch for a vuln is ok. 1 week to write a CRITICAL patch that has near invincibility and affects nearly the entire world (sadly)? NOT OK.

--ZaNkY

Reply Score: 1

RE: 1 week??
by Thom_Holwerda on Thu 5th Jan 2006 23:16 UTC in reply to "1 week??"
Thom_Holwerda Member since:
2005-06-29

There are more factors.

First, they must decide on what is actually the best method for how to fix this flaw. All that must go through bureaucracy (it's a big company). Then, they actually do the fixing. Then comes the hard part. Testing.

They must make sure that their new patch breaks absolutely NOTHING. Imagine the damage if suddenly nobody could use Office anymore because the patch somehow affects Office? Or any of the other gazillion applications companies and individuals depend on each day? Do you really think they can test that in a few hours?

Look, I'm not saying that it can't be faster-- all I'm saying is that MS has to take a lot more possible user scenarios into account because they supply 95% of the computing world, instead of just a few percentages (very simply put).

Reply Score: 5

RE[2]: 1 week??
by peejay on Fri 6th Jan 2006 14:26 UTC in reply to "RE: 1 week??"
peejay Member since:
2005-06-29

They must make sure that their new patch breaks absolutely NOTHING. Imagine the damage if suddenly nobody could use Office anymore because the patch somehow affects Office? Or any of the other gazillion applications companies and individuals depend on each day? Do you really think they can test that in a few hours?

Would you rather Office and your other applications stopped working because of an early MS patch, or because your machines were compromised?

Convenience (like easy-to-guess passwords, not challenging the person walking in the door behind you, or relying on the hope that you won't be infected before a patch is issued so that your apps don't break) seems to be the greatest enemy to security measures.

Reply Score: 1

RE[3]: 1 week??
by n4cer on Fri 6th Jan 2006 20:28 UTC in reply to "RE[2]: 1 week??"
n4cer Member since:
2005-07-06

Would you rather Office and your other applications stopped working because of an early MS patch, or because your machines were compromised?

If your business depended on Office (your internal apps use it as a backend, for example), you'd do better with a patch that works instead of one that shuts down your business. Most corporate networks have AV and other services that already provided a level of mitigation for the WMF issue anyway. Plus most corporate users run as standard users.

Reply Score: 1

RE: 1 week??
by thurston on Thu 5th Jan 2006 23:20 UTC in reply to "1 week??"
thurston Member since:
2005-09-28

In your idyllic situation, the patch would probably be exploited as fast as it was released. Allowing a day for testing would imply that the code was written perfectly the first time and there were no errors, or bugs while the patch was being written. In the world of coding I live in, undertesting causes most of my problems.

A week is a quick turn around for a situation as critical as this in an environment as complex as Windows.

Reply Score: 5

RE: 1 week??
by Celerate on Fri 6th Jan 2006 03:22 UTC in reply to "1 week??"
Celerate Member since:
2005-06-29

"It takes probably an hour to write up a patch for this vuln."

Ok, I'm not fond of the long wait either, but consider this:

Microsoft has been around for a long time, their operating system too. It's fair to assume that they use code from at least as far back as the 90's, more likely some time in the late 80's for some parts of their software. That's code reuse for you, it's a good time saver and it makes sense to keep the code if it works rather than waste time replacing it (and if bugs are found later that doesn't mean all the code needs to be scrapped, just fixed). Now Microsoft has had employees come and go from the company since then, no doubt most of the ones working on the really old code aren't around any more, and if they are do you really think they'll remember something from five years ago, never mind a decade or more ago? They would have a general idea based on what part of the OS is affected where the vulnerability is, but it would still take time to search through all that source code to find out where exactly they need to make their changes, and whether or not those changes would fix the problem entirely, or whether someone could find a way to get around those changes. So do you still think one hour is a good estimate? I'd figure they'd need a couple at least just to get the code fixed up, and then I'd give them a day or two to get it compiled and tested to make sure it's safe for the public before they release it. A week may be a bit much, but a day or two isn't unreasonable when you have a company with very old code and only so many employees who can be dedicated to the task of fixing bugs and security holes.

Reply Score: 2

RE: 1 week??
by Anonymous. on Fri 6th Jan 2006 16:26 UTC in reply to "1 week??"
Anonymous. Member since:
2005-12-04

I don't know exactly how long the vuln has been "known", but let's say one week.
i've known about it since i was in high school, but it wasn't quite as serious back then because the windows picture and fax viewer didn't exist and everyone was still using netscape 4... of course no one expected anything bad to happen from opening an ms word document (which can contain embedded wmf images), so i was still able to play a few hilarious practical jokes on a couple of my friends...

Reply Score: 1

re: 1 week??
by anyweb on Thu 5th Jan 2006 23:17 UTC
anyweb
Member since:
2005-07-06

don't forget all the other languages that are supported.

They _also_ have to be tested. That takes a bit longer than your 2 days.

cheers
anyweb

Reply Score: 2

RE: re: 1 week??
by unoengborg on Fri 6th Jan 2006 04:12 UTC in reply to "re: 1 week??"
unoengborg Member since:
2005-07-06

Multiple languages, shouldn't affect the time to get the patch ready, as development and testing of different languages could be done in parallel.

By the way, some tests to show that the patch doesn't break any needed functionality should already be written assuming that the software was tested during its original development process.

Reply Score: 1

RE[2]: re: 1 week??
by CrazyDude0 on Fri 6th Jan 2006 06:46 UTC in reply to "RE: re: 1 week??"
CrazyDude0 Member since:
2005-07-10

By the way, some tests to show that the patch doesn't break any needed functionality should already be written assuming that the software was tested during its original development process.

What are you? a moron? This software had a design flaw and the feature exposed by WMF could be exploited. If you remove that feature aka bad design aka bug, what if there are some apps that are relying on it in some obscure manner?

Reply Score: 0

RE[3]: re: 1 week??
by dylansmrjones on Fri 6th Jan 2006 14:40 UTC in reply to "RE[2]: re: 1 week??"
dylansmrjones Member since:
2005-10-02

And there you go again, being rude and all... so sad.

Reply Score: 1

v Any RPM available?
by Joe User on Thu 5th Jan 2006 23:17 UTC
microshag
Member since:
2005-11-30

That's the good news. The bad news is it did take a couple of third party patches plus a leak of their own to kick them in the ass. Still, at least we know now how to speed things up in Redmond in the future. It's nice to know MS can be encouraged to move faster.

Reply Score: 1

Mike Nash on WMF Vulnerability
by mono on Fri 6th Jan 2006 00:32 UTC
mono
Member since:
2005-10-19

Mike Nash on the Security Update for the WMF Vulnerability
http://blogs.technet.com/msrc/archive/2006/01/05/416980.aspx

"[...] actually creating the update was a straight forward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be effected by this update are not negatively affected by this change."

Reply Score: 3

modmans2ndcoming Member since:
2005-11-09

it is AFFECTED, not EFFECTED.

Thing1 is AFFECTED by thing2...

Thing2 has an EFFECT on Thing1...

sheesh

Reply Score: 2

Considering...
by Bajan on Fri 6th Jan 2006 03:15 UTC
Bajan
Member since:
2006-01-05

A vulnerability as serious as this and as widespread as windows is, one week to produce a cleanly working patch isn't all that bad.

Considering in the history of the Windows Os there were some vulnerabilities that were never resolved but only had workarounds.

Makes me wonder if the "leak" was an unofficial testbed.

Reply Score: 3

v This is very good news
by ApproachingZero on Fri 6th Jan 2006 05:51 UTC
@raver31
by rockwell on Fri 6th Jan 2006 15:08 UTC
rockwell
Member since:
2005-09-13

//In layman's terms... You guys are screwed unless you update.//

WRONG. You're screwed if:

You're a dumbass computer user, and click on anything that pops up on your screen.

Careful PC use easily circumvents this, and myriad other "massive security holes." It's all anti-MS hype.

Reply Score: 0

RE: @raver31
by raver31 on Fri 6th Jan 2006 17:27 UTC in reply to "@raver31"
raver31 Member since:
2005-07-06

have you been paying attention at all ?
this vuln requires NO user intervention at all

Reply Score: 3

RE[2]: @raver31
by captain_knobjockey on Fri 6th Jan 2006 17:31 UTC in reply to "RE: @raver31"
captain_knobjockey Member since:
2005-08-23

yeah, you just have to visit a web site that has the exploit on it.

it does not even have to be a porn/warez site, it could be any site, even this one.

Microsoft themselves said that the exploit is against ALL versions of Windows and the user needs to do nothing.

That guy is so pro-microsoft he has not got a clue

Reply Score: 2

Nothing serious?
by DonQ on Fri 6th Jan 2006 18:12 UTC
DonQ
Member since:
2005-06-29

Actually this flaw is serious, so serious that even I myself downloaded this MS patch - has never happened before (I don't talk about normal updates, just about downloading/installing specific security fixes).

Why? Two main reasons:

* because this is one of the very few vulnerabilities, which can affect any user despite his knowledge about security, his surfing habits, his favourite browser/mailer, his firewall and other security measures etc etc;
* because this flaw affects Win core component - GDI32 and thereby can (possibly?) run code in kernel space or at least at very high privilege level.

About testing such patch - one week is IMHO very good result. 3rd party patches don't need thorough testing; patch authors are not responsible for breaking any dependent applications or system components. Microsoft is; and of GDI32 depend ... all GUI applications, not less.

Of course tests can be run in parallel, probably they did so. Unfortunately even one full testing pass may take days - I hope that Microsoft has developed very thorough testing system. (Testing against bugs of course, testing against unknown vulnerabilities is generally not possible.)

Reply Score: 1